Allow import peppered password hashes

[ci42]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe your problem

We need support for importing peppered (and salted) password hashes.

Describe your ideal solution

The PHC string format has no support for pepper values and they shouldn't stored alongside the password hash anyway. The hash comparsion in hash_comparator.go uses free functions which can not hold state like the pepper value (secret salt).

I would propose to introduce an interface analogous to the Hasher interface, like this:

type HashComparator interface {
    // compare password and hash
    Compare(password []byte, hash []byte) error
    // wether the HashComparator understand the hash format
    Understands(hash []byte) bool
}

and to rewrite the free functions in hash_comparator.go to types which implements the above interface. The types should be configured like hashers in the kratos configuration file, so that only configured hash comparator will be checked in Compare and not all supported hash comparators.

This will make it easier to support other legacy hashing algorithms. Changing hash_comparator.go would no longer be necessary to add new hashing algorithms, you could just add a new file with the implementation.

Workarounds or alternatives

Reset the passwords of all imported users, which is not desirable.

Version

0.10.1

Additional Context

Support for other legacy hashing algorithms has been discussed in #2422 and implemented in #2725 and #2741.

[aeneasr]

The PHC format allows us to define additional parameters which could also, in theory, be used to transport the pepper: $sha$pepper=foo,salt=bar$.... While probably counter intuitive (because we don't want to store the pepper alongside the password) it would be a simpler approach that fits with the existing approach and has benefits:

1. Works potentially for more than one algorithm
2. If the pepper changed over time (not uncommon), we can import passwords anyways

The pepper will be removed as soon as the user signs in once, so I think the security trade off is ok, especially because pepper for password hashing is a rather old and uncommon method today.

[ci42]

Thanks for your feedback @aeneasr.

especially because pepper for password hashing is a rather old and uncommon method today.

Even if they are uncommon today, pepper-likes are still recommended by NIST (secret salt in NIST lingo): In addition, verifiers SHOULD perform an additional iteration of a key derivation function using a salt value that is secret and known only to the verifier. (...) The secret salt value SHALL be stored separately from the hashed memorized secrets

If the pepper changed over time (not uncommon), we can import passwords anyways

This can easily be achieved in my proposed solution by using a pepper-id $pssha$pepper-id=<pepper-id>, salt=yummy$...

The pepper will be removed as soon as the user signs in once, so I think the security trade off is ok,

I would disagree here. Consider importing several million users., surely some will never log in again, even if their last login was just before the import. Or, in an OIDC scenario, users may obtain a fresh token through a refresh token grant flow for a very long time and don't need to (re-)authenticate. This will leave the pepper value exposed in the phc for an indefinite period of time.

IMHO, my proposed solution has additional benefits:

1. Using a uniform interface makes the code more comprehensible
2. It would not only allow peppered hashes but also makes it easy to support encrypted hashes (like dropbox does - unfortunately using the word "pepper" for the secret key) like $aes-gcm-256-sha$aes-key-id=<key-id>, salt=yummy$<base64 encoded salt>$<base 64 encoded aes encrypted hash>

[ci42]

Please have a look at the current version of #3057. I've simplified it a bit so that does not change the API of the hasher package.

[github-actions]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas on how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️